>Obviously, this doesn't scale well. It would be nice
>just to need two lines like:
>spdadd 0.0.0.0/0 DLNET any -P out ipsec esp/tunnel/R-(=PEER)/require;
>where (=PEER) would evaluate to the actual connection partner from
>DLNET at runtime.
we don't dynamically generate policy in the kernel. if you are using
racoon for IKE, "generate_policy" directive may suit your needs.
itojun
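
A responder-side racoon.conf sketch using the "generate_policy" directive named in the reply, as an added example that is not part of the original thread. The certificate path, file names and algorithm choices are assumptions.

```conf
# racoon.conf on the gateway (responder side). Added example.
# Paths, file names and algorithm choices below are placeholders.

path certificate "/usr/local/etc/racoon/certs";

# "anonymous" matches any peer address, so no per-peer remote
# block (and no per-peer spdadd line) is needed.
remote anonymous {
    exchange_mode main;

    # generate_policy only applies when racoon acts as responder,
    # so never initiate from this side.
    passive on;

    # If no SPD entry matches during phase 2, take the first
    # proposal from the initiator and install policy from it.
    generate_policy on;

    # The initiator's proposal ends up in the responder's SPD, so
    # accept it only from peers that authenticate with a verified
    # certificate.
    certificate_type x509 "gateway.crt" "gateway.key";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_cert on;

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

# Phase 2 parameters for any pair of selectors.
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

After a peer connects, `setkey -DP` on the gateway lists the policies racoon generated, which is the place to check that an initiator has not proposed broader selectors than intended.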